KDE must reduce non-SEEK spending by nearly $18 million over next five months under Gov. Bevin’s budget directive; officials urge local attention to data security...

KSBA eNews Service, Frankfort, Jan. 29, 2016

Commissioner Pruitt: Will do “everything we can" to protect funding, too early to estimate local impact of cutsBy Brad Hughes

Education Commissioner Stephen Pruitt pledged to the state’s superintendents Thursday that his agency will press home to legislators the importance of protecting funding for public schools.

During the Kentucky Department of Education’s monthly superintendent webcast, Pruitt discussed the “interesting little week here in Frankfort” – weather that closed state offices for the first time in two decades followed by Tuesday night’s spending cut-and-budget-proposal address by Gov. Matt Bevin.

The webcast also included an update on the work of the commissioner’s task force on program reviews, a look at education-related bills that have been filed in the legislature and a presentation encouraging district leadership to pay attention to protecting student and staff data.

Spending reductions “loom large”

According to Associate Commissioner for Administration and Support Robin Kinney, KDE’s new chief financial officer, Gov. Matt Bevin’s budget calls for a “proportionate” 4.5 percent reduction of most programs funded through the agency during the current fiscal year, or roughly $17.9 million. For perspective, she said, KDE’s operating and personnel budget for the full fiscal year is approximately $25 million.

The governor’s proposed FY 2016-17 and 2017-18 budget would reduce KDE spending – outside of SEEK – by an additional $35.8 million each fiscal year. (See earlier eNews story on details.)

“They’re big amounts. They loom large for us,” said Kinney, quickly adding, “We’re just starting. We call this the long session for a reason because it will take many, many versions, and changes and iterations (to get) to what this budget will look like at the end. This is just the first step. We want to be thoughtful and plan well, especially in the event that the 4.5 percent cut is upon us.”

Pruitt said KDE would be an advocate for necessary K-12 funding as the budget is considered by the General Assembly.

“We are going to do everything we can to protect our public schools and our public school dollars,” Pruitt said. “As we go through this process and the work that we have to do about the budget reductions, we are going to do our very best to ensure that we protect the funding for our local school districts, area technology centers and schools for the deaf and blind. From a priority perspective, I want everybody to hear that clearly. We will do everything we can to ensure the dollars that directly affect children are utilized and maximized to protect them.”

Asking by one superintendent if KDE would be providing districts with projections of local impacts from the spending cuts, Pruitt said experience has taught him to wait before issuing guesses.

“Unfortunately I’ve had to go through this before,” said the former chief of staff of the Georgia Department of Education. “Until we know what we’re actually dealing with, we will not be sending out estimates. I get why people ask for them, but it’s been my experience that when you send them out, people don’t see that watermark that says ‘EXAMPLES’ or “ESTIMATES.’ People range from ‘Oh my gosh, what are we going to do?’ to ‘Hey, great, I’ve got more than I thought I would.’

“So, I think it’s a little early (but) we will certainly provide all the assistance that we can. We’ll be glad to answer any questions that we can, but it’s been my experience that estimates generally add to a problem,” Pruitt said.

Data security: It's personal

More than half of the 55-minute webcast focused on encouraging greater district, school and personal attention to protecting what officials labeled PII – personally identifiable information. Associate Commissioner for Knowledge, Information and Data Services David Couch and Bob Hackworth, the chief data security officer in the agency’s Division of Engineering, repeated a message Pruitt addressed in last week’s remarks on the state of public education in Kentucky: schools must do more to guard against external access to private information about students and district personnel.

“Data security is the responsibility of everyone – not just your technology staff,” Couch said. “This is one the boringest things until it goes bad, and then everyone wants to know why we didn’t prevent a pretty major event. The message is what can we do to try to get this on the radar screen of everyone?”

Two laws passed by the 2015 legislature address both what qualifies as a “data breach” and how districts are to communicate such an attack to the state. One aspect of those laws requires districts to inform local school boards annually where its PII is maintained and how it is protected, and how it is not being protected.

“There are hundreds of different ways to protect your information, but you can only afford so many of them,” Hackworth said. “You really want to make sure that you’re keeping the data as secure as you need but not spending money needlessly on extra security that doesn’t really matter.”

KDE has produced a Data Security Best Practice Guide for use by districts, and perhaps more importantly, by district personnel.

“As hackers run into our security systems, they’ve discovered that it’s easier to hack the people than it is to hack our computers,” Hackworth said.

Couch and Hackworth shared several important tips for all school personnel:

·Everyone doesn’t have the same need for access to PPI, regardless of the individual’s job.

Couch and Hackworth said hackers sometimes pretend to be an information technology “help desk.”

“We had a district this week where a phisher pretended to be the superintendent, and asked a finance clerk to send all of the W2s to him through the email,” Couch said. “The clerk did an amazing job, and replied that’s not information normally sent via email and it would be provided tomorrow, and then she noticed when she went to reply, she noticed that the superintendent’s email address had changed to a generic email address. That was a second huge win that prevented a potentially devastating breach of data and of money.”

Another case cited was the problem of putting sensitive data on a device to take home for work there.

“It’s the same thing as taking your entire district’s filing system on paper and putting it in the back of your truck, and then driving around town with it,” Couch said. “Encrypt it, put locks on it, put it in the trunk of your car.”

“Security can be very boring until you learn you don’t have as much as you need. We’re responsible for security of information about the children in your districts,” said Hackworth.

The full webcast will be archived for viewing on the KDE website via its Media Portal.